Remember those massive headline-grabbing fines that the UK’s data protection regulator handed out to Marriott and British Airways last year?

The two proposed penalties — Marriott at $130.4 million (£99.2 million) and British Airways at $241.1 million (£183.4 million) — came within a day of each other last July, but not much has been heard since then.

Well, it looks like we’re going to have to wait a bit longer to see how big a hit — if any — the two companies will face. The Information Commissioner’s Office (ICO) said that separately both British Airways and Marriott had “agreed to an extension of the regulatory process until 31 March 2020.”

The ICO added that in both cases, “the regulatory process is ongoing, we will not be commenting any further at this time.”

So, what should we read into this delay?

Heading for a Climbdown?

The decision to push for more time — and the agreement of both companies — points to some degree of conciliation.

Although the punishments handed out to both Marriott and British Airways were several orders of magnitude higher, it’s worth remembering that the headline amounts were only provisional figures. In both cases the ICO said it would “consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.”

Might the regulator now be preparing the ground for a significant climbdown?

“Although one is generally loath to make predictions, it is sometimes interesting to speculate. With that in mind, it would perhaps not be enormously surprising to find out that the proposed fines for British Airways and Marriott don’t materialize, or — at least — aren’t of the size they were initially proposed to be,” wrote Jon Baines, a data protection advisor for law firm Mishcon de Reya, in a blog last November.

Interestingly, Baines suggested that the whole procedure might have been unintentional. The ICO frequently serves notices of intent that are not made public, but because of the money now involved — thanks to the new beefed-up data laws — both Marriott and British Airways had to go public via stock market announcements, pushing the action into the public realm.

The regulator is now in a position where any significant reduction in the level of fine would make it look toothless — and therefore the higher level of fines allowed under the new regime pretty pointless.

“It’s standard practice for the ICO to issue penalties for security foul-ups — they did it for 10 years under the old Data Protection Act, so fines at some level is no surprise,” said Tim Turner, a data protection expert and director of 2040 Training.

“However, these would be the biggest data protection fines anywhere in Europe, and the ICO is uncharacteristically reluctant to go ahead, despite great fanfare for action on Facebook and other big companies.”

Why Were British Airways and Marriott Fined?

In British Airways’ case, it was linked to a data breach in 2018 where around 500,000 customers had their personal data compromised. Hackers were able to access log-in, payment card, and travel booking details as well as name and address information.

Skift asked British Airways about the extension and the fine. A spokesperson said: “I believe the ICO statement covers all the information, so we won’t be adding anything further. Both sides agreed (to) the extension. For your guidance, the fine was always a proposed figure and was never intended to be finalized or imposed until after the investigation as set out in the legislation.”

A spokesperson for Marriott said: “The regulatory process involving the Information Commissioner’s Office (ICO) in the United Kingdom in relation to the Starwood Data Security Incident is ongoing, and we will not be commenting further at this time. And yes, Marriott and the ICO have agreed to an extension of the regulatory process.”
